Deloitte. 


Enterprise Risk Services 


Risk Management Brief 



Reputational risk is one of those risks that are hard to measure, 
even though it should be addressed in the ICAAP process. 
Nevertheless, it deserves a comprehensive risk management 
framework. 

by Mathias Christiaens, 9 September 2008 


Managing Reputational Risk 


“It takes 20 years to build a 
reputation and five minutes 
to ruin it. If you think about 
that, you’ll do things 
differently.” 

— Warren Buffett 


Why reputation matters 

Several surveys confirm that reputational risk has emerged as a major concern for many 
executives and risk managers, not only in the FSI industry. The increase in reputational risk 
is for the most part attributable to the increasing dominance of intangible assets. In today's 
economy, intangible assets such as brand, intellectual capital, strategic relationships and 
the 'licence to operate' account for 70% to 80% of a company's market value[1]. This 
is certainly the case in the financial services industry where the ability to underwrite new 
business is heavily reliant on the standing of the reputation of the firm, a fact that was 
dramatically underscored in this year's takeover of Bear Stearns. 

Despite the increased awareness for reputational risk, most (if not all) organizations will 
admit that they struggle to manage this risk. This brief defines the notion of reputational 
risk, discusses its key drivers and develops a high-level reputational risk management 
framework. 


Defining reputational risk 

An important obstacle in the management of reputational risk lies in the absence of a 
commonly accepted definition thereof. The Basel II Accord recognizes the existence of 
reputational risk but does not define it. It simply states that it is excluded from the definition 
of operational risk, but includes it in the scope of risks to be considered under Pillar II. 

The Committee of European Insurance and Occupational Pension Supervisors (CEIOPS) has 
defined reputational risk as follows[2]: 

"The risk of potential damage to an undertaking through deterioration of its reputation 
or standing due to a negative perception of the undertaking's image among customers, 
counterparties, shareholders and/or regulatory authorities." 




CEIOPS goes on to say that reputational risk should be regarded as 
less of a separate risk, than one consequent on the overall conduct 
of an undertaking. Similarly, The Economist Intelligence Unit referred 
to reputational risk as "the risk of risks"[3]. Indeed, each credit, 
market or operational loss event has the potential to harm your 
organization's reputation as a second order impact. What's worse, 
the damage inflicted to a firm's reputation could well prove to be 
more significant than the first order impact, the underlying loss 
itself. 

A striking example is Northern Rock. The origin of the bank's 
problems presumably lay in its inadequate liquidity risk 
management. It failed to address its dependence on money 
market funding, which dried up in the context of the global credit 
crunch. This problem, however, was addressed when the Bank of 
England provided a liquidity support facility, helping the bank to 
fund its operations during the period of turbulence in financial 
markets whilst the bank could take the required actions to resolve 
its structural problems. At the end of the day, however, the bank 
was not affected as much by its liquidity problems as it was by the 
erosion of consumer confidence (remember the headline pictures 
of people lining up on the streets waiting to withdraw their funds). 
The bank run initiated a vicious circle of ever increasing liquidity 
problems. In the end, the reputational damage was to blame for the 
downfall of the bank. 

Notwithstanding the fact that the majority of reputational 
damage can be described as a second order impact, a number of 
reputational risks can nevertheless be classified as 'independent 
risks' meaning that reputational damage could be considered 
as a first order impact. These independent risks can often be 
associated with ethics. Organizations that do not abide by high 
ethical standards and that ignore principles of market conduct are 
vulnerable to losing their customers' trust and confidence. In short, 
each organization has a social responsibility that it cannot ignore 
and that it must address in its corporate governance. 

Linkage between capital adequacy and reputational risk 

A fiercely debated topic is whether a financial institution must 
consider setting aside capital for reputational risk. 

Naturally, setting aside capital to absorb unexpected losses 
attributable to reputational damage requires a quantitative risk 
assessment. For reputational risk, such quantification will prove 
to be difficult due to a lack of generally accepted measurement 
methodology. In anticipation of a market consensus hereon, many 
firms are currently arguing that the assessment of reputational risk is 
above all a qualitative assessment based on expert judgment. 

This point of view seems to be supported by the Committee of 
European Banking Supervisors which has stated that setting a 
capital requirement is only one tool made available by the CRD[4]. 
Supervisors recognize that while capital has an important role to 
play in the mitigation of risks, it may not always be the sole or 
best solution to mitigating risk. For less quantifiable risks (such as 
reputational risk), the focus of the ICAAP could indeed be more on a 
qualitative assessment, risk management and mitigation. 

Whether financial services firms have quantified their reputational 
risk or not, it seems fair to conclude that supervisors will expect 
all financial firms to be able to demonstrate that they have 
implemented a comprehensive set of procedures and internal 
controls aimed at reducing reputational risk to a minimum. 

Does this mean that quantifying reputational risk is a useless effort? 
No! On the contrary, the ability to quantify reputational risk is 
helpful in prioritizing and presenting the sources of reputational 
risks to senior management. A firm that is able to combine the 
best of both worlds, i.e. being able to understand its exposure 
to reputational risk through quantification and being capable of 
dealing with the risk through reputational risk management has a 
clear competitive advantage. 

Managing reputational risk: prevention is the best remedy 

Effectively managing reputational risk can be achieved by applying 
the well-known framework of identification, assessment and 
management. 

Identification 

A prerequisite enabling a firm to identify potential events that may 
negatively affect its reputation is acknowledging that reputation is 
owned by the stakeholders. 

Every organization has a multitude of stakeholders: investors, 
customers, employees, management, board of directors, regulators, 
suppliers, the community in which the firm operates, etc. These 
stakeholders have an array of expectations covering different 
aspects of corporate performance. 


Customers 

• Product quality, value 

• Service 

• Trust, respect 

Suppliers 

• Volume of business 

• Sound management & operations 

• Financial stability 

Employees 

• Pleasant workplace environment 

• Fair compensation, knowledge building 

• Equal opportunities 

Regulator 

• Timely reporting 

• Sound corporate governance 

• Transparent communication 

Investors 

• Return on investment 

• Earnings growth 

• Regulatory compliance 

Community/Society 

• Community involvement 

• Fair treatment of people 

• Respect for environment 


A firm's reputation is determined by how the stakeholders perceive 
its performance in each of these aspects. The reputation is at risk as 
soon as expectations of the firm's performance exceed underlying 
reality. In order to avoid damage to its reputation, the firm should try 
and close the gap by either improving performance or by managing 
the expectations down to the more realistic levels. 

Failure to take actions aimed at closing the expectations gap will be 
detrimental. Sooner or later, the inability to perform in accordance 
with the stakeholders' expectations will be revealed. Not only 
will the organization then face severe reputational damage, it 
could also find itself at the other end of the pendulum, with its 
reputation falling short of its actual performance. In other words, 
any realisation of the classical risk categories is likely to give 
information on the company's performance in the light of prevailing 
expectations. Hence our earlier assertion that reputational risk is a 
second order risk. 

Closing the expectations gap, however, could in itself expose the 
organization to reputational risks. If, for example, the performance 
of a firm fails to meet investor expectations, management could 
be tempted to stray towards unrestrained market performance 
to increase its financial performance (e.g. market share, earnings 
growth, ROI, etc). In taking these actions, however, management 
should always keep in mind that it should continue to abide by its 
ethical standards. Actions such as aggressive selling could perhaps 
decrease the gap with investor expectation, but are likely to increase 
the expectations gap with customers who might lose their trust and 
respect. Balancing between the different stakeholder expectations is 
one of the main challenges of reputational risk management. 

Once the stakeholder expectations have been identified, the 
organization should make an effort to identify the incidents that, 
should they occur, would fall short of these expectations and 
therefore damage the firm's reputation. 

The following techniques can be used to identify both stakeholder 
expectations and potential reputational events: 

• Media analysis (television, newspapers, magazines, blogs, 
message boards, etc) 

• Interviews with front-line employees (i.e. those employees that 
are frequently in contact with suppliers, customers, investors, 
bankers, etc and are therefore well aware of the issues raised 
by these stakeholders) 

• Brainstorming with management 

• Industry research. 

Due to the dynamic nature of stakeholder expectations, this step 
must not be viewed as a one-off effort. Every organisation must 
continuously monitor changes in the stakeholder expectations. 

Assessment 

Having identified the events that could damage the firm's 
reputation, each event needs to be assessed in terms of the 
likelihood that it will occur and the severity of the reputational 
damage which may result if it occurs. 


Risk rating scales can be used both for the assessment of likelihood 
and severity. The table below is a simplified approach. 


Likelihood 

• High: Likely to occur at least once per year 

• Medium: Likely to occur once every few years 

• Low: Very remote probability of occurrence 

Severity 

• High: Regulator, clients, public opinion impacted, loss of clients 

• Medium: Regulator or client impacted, few clients lost 

• Low: Regulator or client impacted, no clients lost 

When combining the likelihood and the severity, a risk score is 
obtained. This score can help to prioritize the risks and to aid in 
decision making. 



[Figure: risk score matrix, with likelihood (High, Medium, Low) on the 
vertical axis and severity (Low, Medium, High) on the horizontal axis] 


In addition to a qualitative assessment, firms could also opt to 
perform a quantitative assessment of their reputational risk. The 
objective of such quantitative assessment is to measure the impact 
of reputational damage in terms of reduced operating revenues due 
to loss of clients, increased compliance and other costs to restore 
confidence, and perhaps the increase in the cost of capital as a 
result of the reputational event. 

An array of techniques exists, varying from straightforward to 
complex. Examples of techniques include: 

• Examining a firm's stock price reaction to the announcement 
of a major operational loss event. If the firm's market value 
declines by more than the announced loss amount, this is 
interpreted as a reputational loss[5] 

• The actuarial approach, whose focus is the loss distribution. 
Frequency and loss severity are modelled separately and then 
aggregated using either Monte Carlo or numerical techniques 
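
The actuarial approach from the second bullet, as an added example that is not part of the original brief: event frequency and loss severity are sampled separately and aggregated per year by Monte Carlo. The Poisson and lognormal distributions, all parameter values and the function names are assumptions chosen for illustration.

```python
import math
import random

def poisson(rng, lam):
    """Draw an annual event count (Knuth's method, adequate for small lam)."""
    limit, count, product = math.exp(-lam), 0, 1.0
    while True:
        product *= rng.random()
        if product <= limit:
            return count
        count += 1

def simulate_annual_losses(lam, mu, sigma, n_years, seed):
    """Sample frequency and severity separately, then sum the losses per year."""
    rng = random.Random(seed)
    losses = []
    for _ in range(n_years):
        n_events = poisson(rng, lam)                      # frequency model (assumed Poisson)
        losses.append(sum((rng.lognormvariate(mu, sigma)  # severity model (assumed lognormal)
                           for _ in range(n_events)), 0.0))
    return losses

def theoretical_mean(lam, mu, sigma):
    """Closed-form expected annual loss of this compound model, as a sanity check."""
    return lam * math.exp(mu + sigma ** 2 / 2)

def summarize(losses, q=0.995):
    """Expected loss, the q-quantile of annual loss, and the gap between them."""
    ordered = sorted(losses)
    expected = sum(ordered) / len(ordered)
    index = max(0, math.ceil(q * len(ordered)) - 1)
    tail = ordered[index]
    return {"expected": expected, "quantile": tail, "unexpected": tail - expected}

if __name__ == "__main__":
    # Constructed parameters: two events per year on average, severity in EUR million.
    losses = simulate_annual_losses(lam=2.0, mu=0.0, sigma=0.8, n_years=20000, seed=1)
    print(summarize(losses), theoretical_mean(2.0, 0.0, 0.8))
```

The "unexpected" figure is the part of the simulated loss distribution that capital would have to absorb at the chosen confidence level; it is only as good as the frequency and severity assumptions fed in.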

Whilst quantification is arguably as much an art as it is a science, 
we believe quantification is useful even where there are large 
uncertainties. It contributes to intelligent decision making and 
makes the risks even more tangible. Naturally, decision makers 
should continue to give due consideration to factors that defy 
quantification and that are thought to be important. 

Management 

The ERM Integrated Framework proposed by COSO defines four risk 
responses: 

• Avoiding 

• Accepting 

• Reducing 

• Sharing 

Avoiding risks that can cause reputational damage is far from 
obvious since these risks are often embedded in the core of the 
business. A classic example, however, of a risk that can be avoided 
is the reputation risk linked to mergers and acquisitions. When 
making strategic investment decisions, management should look 
into the litigation, regulatory and compliance history of its target. 
Targets that engage in wrongful conduct are often better avoided to 
prevent reputational damage to the acquirer. Another example is the 
risk of mis-selling, a risk that can be avoided by being less aggressive 
on sales targets. 




Accepting certain reputational risks is a strategy that must be 
implemented with great care. This links back to the fact that 
expectations can, and do, change over time. Take the example of 
oil companies in the previous century. For many years, little 
attention was paid to environmental issues. Whilst behaviour such 
as oil spills was criticized in the media, it was not sanctioned. 
Consequently, companies in the oil industry accepted the risk 
of a spill. Then, suddenly, a large oil spill in 1969 ignited an 
environmental movement that led stakeholders to raise the 
bar, expecting all organizations to strengthen their environmental 
efforts. Companies that failed to do so and continued to neglect 
environmental concerns suffered important reputational damage. 

Reducing reputational risks through preventive and detective control 
activities is the most likely and often the most appropriate response. 
Control activities should be designed such that they reduce as much 
as possible the first order risks (e.g. operational risks). 

In the context of reducing reputational risks, the importance of 
corporate governance deserves to be highlighted. Firms should 
articulate, disseminate and enforce an ethical code throughout 
the business. Employees at all levels of the organization should 
be well aware of the risks and events that could affect the firm's 
reputation. The objective should be to develop and reinforce a true 
risk management culture in which compliance is put on top of the 
agenda. 

Sharing risks in the context of reputational risk management is 
rare, and not recommendable. By nature, reputational risk is not 
something that can be legally transferred. Therefore, firms must be 
aware that they can even suffer reputational damage as a result of 
actions taken by others. A good illustration of this is the effect of 
the market distress that began in the second half of 2007. Banking 
organizations under no contractual obligations provided voluntary 
support to ABCP conduits and other off-balance sheet financing 
vehicles, including structured investment vehicles (SIVs), because 
of concerns about the potential damage to their reputation and to 
their future ability to sell investments in such vehicles if they failed to 
provide support during the period of market distress[6]. 

The overall aim of managing reputational risk should be to close 
the gap between the stakeholders' expectations and the true 
performance of the organisation. This links back to the observation 
that reputation is at risk as soon as the expectations exceed reality. 
Should an organisation identify an expectations gap, it needs to 
either lower expectations (through communication) or increase 
performance (through operations). 

Preparing for the worst: developing a crisis response strategy 

Evidently, no matter how well-developed the risk mitigation tools 
in place (crisis prevention), no firm can fully avoid being exposed 
to reputational risk events. This leads us to the importance of crisis 
management, aimed at minimizing the damage caused by such 
events. Being able to respond effectively to crisis events is likely to 
prove to be a much more efficient means of mitigating reputational 
damage than (just) setting aside capital. Therefore, it is best practice 
for firms to develop a crisis response strategy. Such a strategy would 
typically include at least the following elements: 


• Identify a crisis response team for which the roles and 
responsibilities are clearly defined 

• Prepare draft versions of internal and external communications 
with all key stakeholders 

• Ensure fast access to relevant data that the crisis response team 
will need to make its decisions 

• Simulate crises in order to test the crisis management plans 

This last point is often overlooked. Having a crisis management plan 
is a good first step, but it will only become useful once it is tested 
through simulation exercises. Simulating a crisis enables errors to be 
identified and addressed and lessons to be learned. Unfortunately, 
crises will rarely happen as envisioned during the simulations. 
Therefore, the crisis management plan should be flexible enough 
and the people in charge of executing the plan must have the ability 
to adapt accordingly. 

Conclusion 

Whilst many organizations are aware of the importance of 
reputational risk management, only few organizations have 
implemented a true reputational risk management framework. The 
main challenge is recognizing the need for a focused approach and 
assigning one person with the responsibility to execute this. When 
done properly, the benefits will far outweigh the costs and the 
organization will be assured that its most important intangible asset 
is well protected. 

References 

1. "Reputation and its Risks", by Robert G. Eccles, Scott C. 
Newquist, and Roland Schatz, Harvard Business Review, 
February 2007 

2. "Risk Management and Other Corporate Issues", Issues Paper, 
CEIOPS, 17 July 2007 

3. "Reputation: Risk of Risks", The Economist Intelligence Unit, 
December 2005 

4. Guidelines on the Application of the Supervisory Review Process 
under Pillar 2 (CP03 Revised), Committee of European Banking 
Supervisors, 25 January 2006 

5. "Measuring Reputational Risk: The Market Reaction to 
Operational Loss Announcements", Jason Perry and Patrick De 
Fontnouvelle, available at 
http://papers.ssrn.com/sol3/papers.cfm?abstract_id=861364&rec=1&srcabs=967313 

6. "Observations on Risk Management Practices During the 
Recent Market Turbulence", Senior Supervisors Group, March 
6, 2008, available at 
http://www.newyorkfed.org/newsevents/news/banking/2008/ssg_risk_mgt_doc_final.pdf 


To further discuss reputational risk, please contact: 

Dr. Frank De Jonghe, Partner, ERS, tel + 32 3 800 88 89, 
fdejonghe@deloitte.com 

Mathias Christiaens, Manager, ERS, tel + 32 3 800 86 47, 
mchristiaens@deloitte.com 






This document is intended to provide general information on a particular subject or subjects and is not an exhaustive 
treatment of such subject(s). Accordingly, the information in this document is not intended to constitute accounting, 
tax, legal, investment, consulting or other professional advice or services. Before making any decision or taking any 
action that might affect your personal finances or business, you should consult a qualified professional adviser. 

This document and the information contained herein is provided "as is," and Deloitte Touche Tohmatsu makes no 
express or implied representations or warranties regarding this document or the information. Without limiting the 
foregoing, Deloitte Touche Tohmatsu does not warrant that the document or information will be error-free or will 
meet any particular criteria of performance or quality. Deloitte Touche Tohmatsu expressly disclaims all implied 
warranties, including, without limitation, warranties of merchantability, title, fitness for a particular purpose, 
noninfringement, compatibility, security, and accuracy. 

Your use of this document and information is at your own risk. You assume full responsibility and risk of loss resulting 
from the use of this document or information. None of Deloitte Touche Tohmatsu, or any of its national practices 
or affiliates, or any partners, principals, stockholders, or employees of any, thereof will be liable for any special, 
indirect, incidental, consequential, or punitive damages or any other damages whatsoever, whether in an action of 
contract, statute, tort (including, without limitation, negligence), or otherwise, relating to the use of this document or 
information. 

Deloitte Touche Tohmatsu hereby authorizes you to view, copy, print, and distribute this document subject to the 
following conditions: 

1. The document is used for informational purposes only. 

2. The document is used for non-commercial purposes. 

3. Any copy of this document or portion thereof must include this copyright notice in its entirety. 

Deloitte refers to one or more of Deloitte Touche Tohmatsu, a Swiss Verein, and its network of member firms, each of 
which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of 
the legal structure of Deloitte Touche Tohmatsu and its member firms. 




© September 2008 Deloitte Enterprise Risk Services. All rights reserved. 
Designed and produced by the Creative Studio at Deloitte, Belgium. 


